Backport XMLRPC test fixes to ipa-4-3 branch #103
Closed
Conversation
Also move com.redhat.idm.trust-fetch-domains to /usr/libexec/ipa/oddjob. https://fedorahosted.org/freeipa/ticket/5550 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Our custom implementation of pylint checker is often broken by incompatible changes on the pylint side. Using supported solutions (config file, pylint plugins) should avoid this issue. The plugin adds missing (dynamic) members to classes in the abstract syntax tree generated for pylint, instead of just ignoring missing members and all sub-members. This should improve pylint detection of typos and missing members in api.env and test config. The make-lint python script has been removed; to run pylint execute 'make lint'. https://fedorahosted.org/freeipa/ticket/5615 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If the number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for any n >= 0: * every server has a replication agreement with 2 - 4 other servers. * at least two agreements must fail in order to disconnect the topology. Otherwise there can be server(s) with a single agreement on the edge of the topology. Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
In Python 3, the error message from the decimal module is less clear than before. (It's apparently the price to pay for speed -- Python3 uses libmpdec as its Decimal implementation by default.) Don't check for the exact error message. https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python defaults to 'w+b', but all callers in IPA write text (as opposed to bytes). https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Use binascii.hexlify instead of encode('hex')
- Keep the library name as a text string instead of encoding to bytes
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The import was accidentally removed in commit 9a3d5fd. https://fedorahosted.org/freeipa/ticket/5638
To be consistent with backend code. https://fedorahosted.org/freeipa/ticket/5622 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales. The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it. [1] apache/tomcat@707ab1c Fixes: https://fedorahosted.org/freeipa/ticket/5578 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/5587 Reviewed-By: David Kupka <dkupka@redhat.com>
During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem in broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file. https://fedorahosted.org/freeipa/ticket/5682 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New checks have been introduced in pylint 1.5 and many of them are not compatible with IPA code or produce false positives. Disable them all. Note: due to older versions of pylint, new checks cannot be disabled locally, they must be disabled globally. https://fedorahosted.org/freeipa/ticket/5615 Reviewed-By: David Kupka <dkupka@redhat.com>
Py3 does not support iter* methods, this commit replaces 2 occurrences of iteritems() with items(). The dictionaries there are not big, so this is sufficient and we do not need to use six. https://fedorahosted.org/freeipa/ticket/5623 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Every site consists of at least two replicas and is connected to two other sites. Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
During upgrade to IPA 4.2, the literal "$SUFFIX" value was added to the configuration of the sidgen and extdom plugins. This causes SIDs to not be configured properly. Upgrade must fix "$SUFFIX" to the real suffix DN, and run the sidgen task against the IPA domain (if it exists). All trusts added while the plugin configuration was broken must be re-added. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
Trust entries were found by presence of the ipaNTSecurityIdentifier attribute. Unfortunately this attribute might not be there due to the bug. As a replacement for this, the attribute ipaNTTrustPartner can be used. Note: other non-trust entries located in the cn=trusts subtree can be cross-realm principals. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
Detect missing ipaNTSecurityIdentifier and print a message for the user that the trust is broken as a result of the trust-show and trust-find commands. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
The DS restart executed by the upgrade plugin causes the upgrade framework to wait for the wrong socket. It leads to a TimeoutError because DS is not listening on port 389 during upgrade. This commit fixes the issue. Required for: https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
Two tests in xmlrpc/automember suite were failing as a result of manager data normalization in user attributes. Tests are fixed to reflect the change. https://fedorahosted.org/freeipa/ticket/6147 Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus returns OK. The ca_status() function defaults to api.env.ca_host as host. On a replica without CA ca_host is a remote host (e.g. master's FQDN). ipa-ca-install waits for master:8080 instead of replica:8080, which might be blocked by a firewall. https://fedorahosted.org/freeipa/ticket/6016 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
The code which loads the external CA cert chain was never executed because of an incorrect usage of an iterator (iterating over it twice). https://fedorahosted.org/freeipa/ticket/6166 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-replica-prepare must be run on a replica with CA or all the certs need to be provided (for the CA-less case). The old messages were utterly confusing because they mixed errors about missing certs and missing local CA instance into one text. https://fedorahosted.org/freeipa/ticket/6134 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ben Lipton <blipton@redhat.com>
https://fedorahosted.org/freeipa/ticket/6167 Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove the conflict, as bind-chroot caused issue only on systems with older bind and bind-chroot - e.g. RHEL 6. This reverts commit 3ab63fa. https://fedorahosted.org/freeipa/ticket/5696 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Usage of ipautil.run in the get_pem method of the CA-less tests was not refactored when ipautil.run was refactored in 099cf98. This results in failure of all CA-less tests. https://fedorahosted.org/freeipa/ticket/6177 Reviewed-By: Martin Basti <mbasti@redhat.com>
Test that CRL URI and OCSP URI are present and correct in generated certificate. https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Lenka Doudova <ldoudova@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0 [https://fedorahosted.org/freeipa/ticket/6134] Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Previously, update_dnsforward_emptyzones failed with an exception if the DNS query failed for some reason. Now the error is logged and upgrade continues. I assume that this is okay because the DNS query is used as a heuristic of last resort in the upgrade logic and failure to do so should not have catastrophic consequences: In the worst case, the admin needs to manually change the forwarding policy from 'first' to 'only'. In the end I have decided not to auto-start BIND because BIND depends on GSSAPI for authentication, which in turn depends on KDC ... Alternatives like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to accept LDAP external bind from the named user are too complicated. https://fedorahosted.org/freeipa/ticket/6205 Reviewed-By: Martin Basti <mbasti@redhat.com>
The 'cert_revoke' command checks the 'revoke certificate' permission, however, if an ACIError is raised, it then invokes the 'cert_show' command. The rationale was to re-use a "host manages certificate" check that is part of the 'cert_show' command, however, it is sufficient that 'cert_show' executes successfully for 'cert_revoke' to recover from the ACIError and continue. Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate and cause various kinds of DoS. Fix the problem by extracting the "host manages certificate" check to its own method and explicitly calling it from 'cert_revoke'. Fixes: https://fedorahosted.org/freeipa/ticket/6232 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
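The authorization bypass described in the cert_revoke commit above is a general pattern: a privileged operation catches its own permission failure and treats the success of a weaker operation as authorization. The following is an added illustration written for this page, not FreeIPA code: principals, permissions and certificate ownership are constructed in-memory, and `cert_show`, `cert_revoke_vulnerable` and `cert_revoke_fixed` are simplified stand-ins for the real plugin methods. It shows a principal holding only 'retrieve certificate' revoking a certificate it does not own under the pre-fix logic, and being denied once the "host manages certificate" check is called explicitly.

```python
"""Toy model of the cert_revoke permission fallback (added example, not FreeIPA code)."""


class ACIError(Exception):
    """Raised when the caller lacks the permission an operation needs."""


# Constructed sample data (hypothetical principals and serial numbers).
PERMISSIONS = {
    "admin": {"retrieve certificate", "revoke certificate"},
    "auditor": {"retrieve certificate"},             # read-only principal
    "host/web1.example.test": set(),                 # host principal, no explicit permissions
}
CERT_OWNER = {1001: "host/web1.example.test", 1002: "host/db1.example.test"}
REVOKED = set()


def check_permission(principal, permission):
    """Model of the ACI check: raise ACIError if the principal lacks the permission."""
    if permission not in PERMISSIONS.get(principal, set()):
        raise ACIError(f"{principal} lacks '{permission}'")


def host_manages_certificate(principal, serial):
    """The check that cert_show embeds: a host may act on its own certificate."""
    return CERT_OWNER.get(serial) == principal


def cert_show(principal, serial):
    """Succeeds for anyone with 'retrieve certificate', or for the owning host."""
    try:
        check_permission(principal, "retrieve certificate")
    except ACIError:
        if not host_manages_certificate(principal, serial):
            raise
    return {"serial": serial, "owner": CERT_OWNER[serial]}


def cert_revoke_vulnerable(principal, serial):
    """Pre-fix logic: any successful cert_show is treated as authorization to revoke."""
    try:
        check_permission(principal, "revoke certificate")
    except ACIError:
        cert_show(principal, serial)   # passes for any 'retrieve certificate' holder
    REVOKED.add(serial)
    return True


def cert_revoke_fixed(principal, serial):
    """Post-fix logic: fall back only to the explicit host-manages-certificate check."""
    try:
        check_permission(principal, "revoke certificate")
    except ACIError:
        if not host_manages_certificate(principal, serial):
            raise
    REVOKED.add(serial)
    return True


def outcome(fn, principal, serial):
    """Run a revoke variant and report 'revoked' or 'denied'."""
    REVOKED.discard(serial)
    try:
        fn(principal, serial)
        return "revoked"
    except ACIError:
        return "denied"


def demo():
    """Compare the two variants across the constructed principals."""
    return {
        "auditor_vulnerable": outcome(cert_revoke_vulnerable, "auditor", 1002),         # the bug
        "auditor_fixed": outcome(cert_revoke_fixed, "auditor", 1002),
        "host_own_cert_fixed": outcome(cert_revoke_fixed, "host/web1.example.test", 1001),
        "host_other_cert_fixed": outcome(cert_revoke_fixed, "host/web1.example.test", 1002),
        "admin_fixed": outcome(cert_revoke_fixed, "admin", 1002),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix does not change which principals are meant to be authorized; it removes the implicit assumption that "cert_show succeeded" and "host manages this certificate" are the same condition.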
Because Samba Python bindings provide long-named methods and constants, sometimes it is impossible to fit into 80 columns without causing damage to readability of the code. This patchset attempts to reduce pep8 complaints to a minimum. https://fedorahosted.org/freeipa/ticket/6076 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For configuration where:
- AD example.com trusts IPA at ipa.example.com
- AD example.org trusts AD example.com
- an attempt is made to establish a trust between ipa.example.com and
example.org,
there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.
This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.
A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:
1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
2. Establish trust between ipa.example.com and example.org
It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.
This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:
1. Attempt to establish trust and update trust topology information.
2. If trust topology conflict is detected as result of (1):
2.1. Fetch trust topology information for the conflicting forest
trust
2.2. Add exclusion entry to our domain to the trust topology obtained
in (2.1)
2.3. Update trust topology for the conflicting forest trust
3. Re-establish trust between ipa.example.com and example.org
We cannot do the same for shared secret trust and for external trust,
though:
1. For shared secret trust we don't have administrative credentials
in the forest reporting the conflict
2. For the external trust we cannot set topology information due to
MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
definition and thus setting topology information will fail.
To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.
Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
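The DNS namespace overlap in the commit message above (ipa.example.com falling under example.com's top-level name as recorded in example.org's forest trust) can be modelled with a label-aware suffix check plus an exclusion list. The following is an added example for this page, not FreeIPA or Samba code; the `trusts` dictionary is a constructed, simplified stand-in for msDS-TrustForestTrustInfo records (top-level names and exclusions only), and `dns_conflicts`/`add_exclusion` are hypothetical helper names. It shows the conflict being reported before the exclusion is added and cleared afterwards.

```python
"""Simplified model of forest-trust DNS namespace conflicts (added example, not project code)."""


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_subdomain(name, parent):
    """True if name lies strictly below parent on a label boundary.

    'ipa.example.com' is below 'example.com'; 'xample.com' is not.
    """
    n, p = _labels(name), _labels(parent)
    return len(n) > len(p) and n[-len(p):] == p


def overlaps(a, b):
    """Two namespaces overlap if equal or one contains the other."""
    return _labels(a) == _labels(b) or is_subdomain(a, b) or is_subdomain(b, a)


def dns_conflicts(trusts, new_forest, new_tln):
    """Report (forest, top-level name) pairs that overlap new_tln and are not excluded.

    trusts: {forest_name: {"tln": [names], "exclusions": [names]}}, as seen by the
    domain controller that is evaluating the new trust.
    """
    conflicts = []
    for forest, record in trusts.items():
        if forest == new_forest:
            continue
        for tln in record["tln"]:
            if not overlaps(new_tln, tln):
                continue
            excluded = any(
                _labels(new_tln) == _labels(ex) or is_subdomain(new_tln, ex)
                for ex in record["exclusions"]
            )
            if not excluded:
                conflicts.append((forest, tln))
    return conflicts


def add_exclusion(trusts, forest, name):
    """Record name as excluded from forest's namespace (step 1 of the manual sequence)."""
    exclusions = trusts[forest]["exclusions"]
    if name.lower() not in (ex.lower() for ex in exclusions):
        exclusions.append(name)
    return exclusions


def demo():
    """Walk the scenario from the commit message with constructed data."""
    # Constructed view from example.org's DC: it already trusts the example.com forest.
    trusts = {"example.com": {"tln": ["example.com"], "exclusions": []}}
    new_forest, new_tln = "ipa.example.com", "ipa.example.com"

    before = dns_conflicts(trusts, new_forest, new_tln)
    add_exclusion(trusts, "example.com", "ipa.example.com")
    after = dns_conflicts(trusts, new_forest, new_tln)

    # A name that merely shares a suffix string must not be treated as overlapping.
    false_positive = dns_conflicts(trusts, "xample.com", "xample.com")
    return before, after, false_positive


if __name__ == "__main__":
    before, after, fp = demo()
    print("conflicts before exclusion:", before)
    print("conflicts after exclusion: ", after)
    print("suffix-string false positive:", fp)
```

The label-boundary comparison in `is_subdomain` is the part worth keeping in mind: a naive `endswith` check would flag unrelated names that happen to share a suffix string.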
…exists ID ranges for child domains of a forest trust were created incorrectly in FreeIPA 4.4.0 due to refactoring of -- if the domain was already existing, we never attempted to create the ID range for it. At the same time, when domain was missing, we attempted to add ID range and passed both forest root and the child domain names to add_range(). However, add_range() only looks at the first positional argument which was the forest root name. That ID range always exists (it is created before child domains are processed). Modify the code to make sure child domain name is passed as the first positional argument. In addition, the oddjob helper should explicitly set context='server' so that idrange code will be able to see and use ipaserver/dcerpc.py helpers. Resolves: https://fedorahosted.org/freeipa/ticket/5738 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In terms of cross-forest trust the parent domain is the root domain of the forest because we only have trust established with the forest root. In the FreeIPA LDAP store all sub-domains are stored in the cn=<forest root>, cn=ad,cn=trusts,... subtree. Thus, the first RDN after cn=ad is the forest root domain. This allows us to simplify the logic of finding the parent domain. For complex hierarchical forests with more than two levels of sub-domains, this will still be true because of the forest trust: as the forest trust is established to the forest root domain, any communication to any sub-domain must traverse the forest root domain's domain controller. Note that SSSD also generated incorrect CA path information for forests with non-hierarchical tree-roots. In such cases the IPA KDC got confused and mistakenly assumed a direct trust to the non-hierarchical tree-root instead of going through the forest root domain. See https://fedorahosted.org/sssd/ticket/3103 for details. Resolves: https://fedorahosted.org/freeipa/ticket/5738 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This fixes pylint failing on import errors during 'lint' phase of build. https://fedorahosted.org/freeipa/ticket/6244 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Custodia's server.keys file contains the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and was only secured by permission 700 of the directory /etc/ipa/custodia. The installer and upgrader ensure that the file has 600. https://bugzilla.redhat.com/show_bug.cgi?id=1353936 https://fedorahosted.org/freeipa/ticket/6056 Reviewed-By: Martin Basti <mbasti@redhat.com>
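The server.keys commit above fixes a key file that relied on its parent directory's mode for protection. The routine below is an added example for this page, not the FreeIPA installer or upgrader code: `ensure_private_mode` is a hypothetical helper that reports the file's current mode and tightens it to 0600 when any group or other bit is set, and `demo` reproduces the pre-fix state (a 0644 file inside a 0700 directory) in a temporary directory rather than under /etc/ipa/custodia.

```python
"""Check and tighten the mode of a private key file (added example, not FreeIPA code)."""

import os
import shutil
import stat
import tempfile

PRIVATE_MODE = 0o600


def ensure_private_mode(path, mode=PRIVATE_MODE):
    """Return (old_mode, new_mode) for path, chmod'ing it to mode if it is too open.

    Any group or other permission bit, or any deviation from the target mode,
    triggers the chmod; the directory's mode is deliberately not consulted,
    since it is not a substitute for the file's own permissions.
    """
    old = stat.S_IMODE(os.stat(path).st_mode)
    if old & (stat.S_IRWXG | stat.S_IRWXO) or old != mode:
        os.chmod(path, mode)
    new = stat.S_IMODE(os.stat(path).st_mode)
    return old, new


def is_private(path):
    """True if the file grants nothing to group or other."""
    return not stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    """Constructed scenario mirroring the pre-fix layout: 0700 dir, 0644 key file."""
    workdir = tempfile.mkdtemp()
    try:
        os.chmod(workdir, 0o700)
        key_file = os.path.join(workdir, "server.keys")
        with open(key_file, "w") as fh:
            fh.write("{}")                 # placeholder content, not real key material
        os.chmod(key_file, 0o644)

        exposed_before = not is_private(key_file)
        old, new = ensure_private_mode(key_file)
        exposed_after = not is_private(key_file)
        # Second run is a no-op: mode already correct.
        old_again, new_again = ensure_private_mode(key_file)
        return {
            "old": old,
            "new": new,
            "exposed_before": exposed_before,
            "exposed_after": exposed_after,
            "idempotent": (old_again, new_again) == (new, new),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

Checking the file's own mode rather than the directory's is the point: a directory mode can be relaxed later, and the file can be copied or backed up elsewhere, so the key material should carry its own restriction.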
When running ipa-adtrust-install, a netbios-name option must be specified. Currently if an invalid netbios name in form of empty string is specified, the installation proceeds, but changes the invalid value to a netbios name determined from domain name without any notification. Fixing this so that any attempt to supply empty string as netbios name fails with error in case of unattended installation, or to request input of valid netbios name from command line during normal installation. https://fedorahosted.org/freeipa/ticket/6120 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
domainlevel method is called upon each master uninstallation. Sometimes the master uninstallation is called from within teardown method of some tests when the master was not in fact installed, in which case the kinit_admin would always raise an error. https://fedorahosted.org/freeipa/ticket/6254 Reviewed-By: Martin Basti <mbasti@redhat.com>
When running test_install/test_updates and test_pkcs10/test_pkcs10 as outoftree, these are skipped with reason 'Unable to find test update files'. For outoftree tests wrong paths are checked for these files. Changing file localization to provide proper test setup. https://fedorahosted.org/freeipa/ticket/6284 Reviewed-By: Martin Basti <mbasti@redhat.com>
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
https://fedorahosted.org/freeipa/ticket/6287 Reviewed-By: Martin Basti <mbasti@redhat.com>
Adding 'defaults' sudorule to prevent requesting further user authentication. Adding checks that if a user should be rejected access, a proper error message is displayed. https://fedorahosted.org/freeipa/ticket/6262 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Some upgrade steps require BIND to be running in order to be successful. The upgrader makes sure that BIND starts. https://fedorahosted.org/freeipa/ticket/6205 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For some reason named may not be running and this causes this upgrade step to fail. This step is not critical so only an ERROR message with a recommendation is shown. https://fedorahosted.org/freeipa/ticket/6205 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Backup and restore trust flags of existing certificates during CA installation. This prevents marking a previously trusted certificate as untrusted, as was the case when CA-less was converted to CA-full with external CA when using the same certificate. https://fedorahosted.org/freeipa/ticket/5791 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
We do not have the right to write to the users delete_container. In case a user already exists in that container and we try to add the entry, we receive an ACIError. This must be checked and a DuplicateEntry error must be raised before. https://fedorahosted.org/freeipa/ticket/6199 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin was using DNS zone 'fwzone2.test.' and expected to get warning 'Forwarding policy conflicts with some automatic empty zones.' (aka 'DNSForwardPolicyConflictWithEmptyZone'). This does not make sense because 'test.' zone is not listed in IANA registry 'Locally-Served DNS Zones': http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml To fix this I simply removed the warning from set of expected results. https://fedorahosted.org/freeipa/ticket/6213 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
https://fedorahosted.org/freeipa/ticket/6316
https://fedorahosted.org/freeipa/ticket/6317